SELinux Background

SELinux Fundamentals

NSA's SELinux is an access control technology that has been integrated into the Linux kernel. SELinux kernel patches exist for Linux 2.4, but are no longer maintained by the NSA. As of kernel 2.6.0-test3 SELinux is part of the standard Linux kernel, although the NSA often provides additional patches for 2.6 kernels until those changes make their way into the official kernels.

In addition to the kernel modifications, tools and utilities for managing the access controls have been created. Existing applications and utilities have been modified to use the kernel features provided by SELinux and to report SELinux access control information (e.g., ls has been modified to display the additional security information associated with files).

Finally, SELinux also requires a system-wide "policy" configuration that describes what controls to enforce. Creating and managing this policy can be complex; a number of tools have been developed, and more are under development, to simplify the task. A large example policy is provided with NSA's SELinux releases as a starting point.
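The security information an SELinux-aware ls displays is a security context, a colon-separated label of the form user:role:type (later releases append a level field). The type field is what Type Enforcement policy rules key on, so a file carrying the wrong type is exactly the kind of defect the policy cannot compensate for. The following POSIX shell script is an added example, not code from the SELinux project or from this page's author: it parses `ls -Z`-style lines and reports files under a directory whose type is not the one expected. The listing, the paths and the type names (httpd_sys_content_t, httpd_config_t, user_home_t) are constructed for the example, so it runs without an SELinux system present.

```shell
#!/bin/sh
# Added example: audit security contexts as printed by an SELinux-aware `ls -Z`.
# Constructed sample in the "context path" shape; contexts use the three-field
# user:role:type form, and the helpers also accept a trailing level field.
SAMPLE='system_u:object_r:httpd_sys_content_t /var/www/html/index.html
system_u:object_r:httpd_sys_content_t /var/www/html/about.html
user_u:object_r:user_home_t /var/www/html/upload.php
system_u:object_r:httpd_config_t /etc/httpd/conf/httpd.conf'

# context_field CONTEXT N: print the N-th colon-separated field of a context
# (1 = SELinux user, 2 = role, 3 = type, 4 = level when present).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# context_type CONTEXT: print just the type, the field policy rules act on.
context_type() {
    context_field "$1" 3
}

# audit_tree PREFIX EXPECTED_TYPE: read `ls -Z`-style lines from stdin and print
# every path located under PREFIX whose type is not EXPECTED_TYPE.
audit_tree() {
    prefix=$1
    expected=$2
    while read -r ctx path; do
        [ -z "$ctx" ] && continue            # skip blank lines
        case $path in
            "$prefix"/*) ;;                  # inside the audited tree
            *) continue ;;                   # elsewhere: not our concern here
        esac
        if [ "$(context_type "$ctx")" != "$expected" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Usage on the constructed sample: web content is expected to be
# httpd_sys_content_t, so the mislabeled upload.php is reported.
printf '%s\n' "$SAMPLE" | audit_tree /var/www/html httpd_sys_content_t
```

On a live system the same function would read `ls -Z` output directly, but which column ls prints the context in depends on the ls version, so check that order before trusting the results.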

Kerry Thompson has written an excellent introduction to SELinux for SysAdmin Magazine and maintains a FAQ.

SELinux Heritage

Researchers in the Information Assurance Research Group of the National Security Agency (NSA) worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. The NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS. The NSA and SCC then worked with the University of Utah's Flux Research Group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask.

The NSA, working with NAI Labs and MITRE, integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community. The NSA's SELinux was released publicly in December 2000. As a result of that work, at the Linux 2.5 Kernel Summit Linus Torvalds suggested that security functions similar to SELinux should be provided as a replaceable module. WireX Communications, in cooperation with several security projects, including SELinux, created the Linux Security Modules project to simplify the incorporation of SELinux-like security projects into the Linux kernel.

After the release of SELinux, interested developers soon began contributing help, patches, and policies to support SELinux on distributions and to extend its utility. Soon after the release of SELinux, Mark Westerman provided a modified GDM to improve the use of the GUI within SELinux and contributed policy changes to allow SELinux to work with the FreeS/WAN IPsec implementation. Security identifiers were extended to label network packets by James Morris. Russell Coker integrated SELinux into the Debian distribution. Tresys Technology produced a tool to help those working with SELinux policies. Many other contributions followed.

While NSA's research group welcomed the community interest, their interest in SELinux is as a research tool and prototype. The SELinux for Distributions project (SELinux at SourceForge) was created to focus the development of the large collection of "stuff" that is necessary to fully utilize the SELinux technology in real distributions.